EU declares data protection agreement ‘Safe Harbour’ invalid
14/10/2015
Europe’s highest court just rejected the ‘safe harbour’ agreement used by tech companies. So what now for businesses?
What is the Safe Harbour Agreement?
In the European Economic Area (EEA), any organisation that collects, controls or holds personal data about European individuals is subject to EU data protection law. Transfers of that data outside the EEA are prohibited unless the destination country, or the receiving organisation, provides an ‘adequate’ level of protection (subject to a limited set of exceptions). In 2000, the European Commission adopted the Safe Harbour decision, which treated US companies that voluntarily signed up to the Safe Harbour principles as automatically meeting the ‘adequate’ standard. Over the past 15 years, this arrangement has allowed some 4,000 US entities (including Apple, Google, Facebook, Twitter, Coca-Cola and eBay) to self-certify that they complied with EU standards and to receive transfers of personal data freely.
The EU Ruling
Back in 2013, Max Schrems (an Austrian privacy campaigner) complained to the Irish Data Protection Commissioner (DPC) about the transfer of his personal data from Facebook Ireland Limited (Facebook’s European arm) to Facebook’s servers in the US. He argued that, given Edward Snowden’s revelations about surveillance of data by US security agencies, the US could no longer be considered to provide an adequate level of protection. The Irish DPC initially rejected the complaint, relying on the Commission’s Safe Harbour decision; on review, the Irish High Court referred the question to the Court of Justice of the European Union (CJEU). On 6 October 2015, the CJEU declared the Safe Harbour decision invalid because it did not ensure adequate protection, and additionally held that the Irish DPC must examine Mr Schrems’ complaint and decide whether transfers of the data of Facebook’s European subscribers to the US should be suspended.
What does the ruling mean?
US companies will no longer be able to rely on Safe Harbour as the legal basis for receiving EU personal data; instead, transfers to the US will have to satisfy EU data protection law in the same way as transfers to any other country outside the EEA. As a result, US companies, and companies that use US-based data storage, will have to ensure compliance with EU data protection law through another mechanism. Additionally, national data protection authorities can now investigate complaints about transfers to the US on their own authority, and may choose to suspend such transfers.
What are the implications for businesses?
The impact on the big Silicon Valley companies such as Facebook and Google is likely to be limited to paperwork, as many had already put alternative arrangements in place before the judgment. However, the invalidation of Safe Harbour could negatively affect Europe’s economy and hurt small and medium-sized companies in both the US and Europe. In particular, small companies that use US-based cloud services (such as online accounting and Customer Relationship Management software) will face the greatest consequences.
So what option do businesses have now?
Option 1 – Move the hosting of EU data to the EU instead of the US. However, this brings additional costs and could be problematic, as the company would still need to meet the requirements of each individual country’s data protection legislation.
Option 2 – Seek the freely given, direct consent of the data subject. This can be problematic where there are existing relationships, and raises the question of what happens if the data subject does not consent. Additional problems arise where employees are asked to consent: they may feel pressured to agree, in which case the consent is not freely given and is therefore invalid.
Option 3 – Model clauses. These are standard contractual clauses, pre-approved by the European Commission, that can be added to contracts (new and existing) to give the transfer a lawful basis. They must be used without amendment to retain their pre-approved status. This is the most likely option for the majority of businesses.
If you have any queries or require further advice on complying with these new obligations, please contact Antony Hall, Partner and Head of Commercial at Mincoffs Solicitors, on 0191 281 6151 or email firstname.lastname@example.org.